attachmentgenie / attachmentgenie-ssh Goto Github PK

It looks like PermitTTY is not a valid keyword in sshd_config för Ubuntu 12.04 (precise).

These 3 options are valid for PermitRootLogin as well as yes and no. We were previously running an older version of the module, however we've recently updated to puppet 4.x and version 2.1.0 of the module, and noticed that line 161 of server.pp now restricts valid answers to yes or no. This regular expression should be expanded to support the other 3 answers as valid also.

Hi,

Really new to puppet, but it seems that the port parameter do not work properly. Here is my error message :

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter port on Class[Ssh::Server] at /etc/puppet/manifests/site.pp:46

This is my site.pp file section which instantiate your class (same as in your sample) "

class { 'ssh::server':
                port => 2009
                permit_root_login => 'no',
        }

When I remove the port param, no problem.

I checked on the Server class but I did not see any ports var , but it seems locate on the params file.
I try to instance the ssh::Params directly from my site.pp file, but it does not seems to work that way :

Error 400 on SERVER: Duplicate declaration: Class[Ssh::Params] is already declared; cannot redeclare

What am I doing wrong ?

Hi,

Is it possible that the resource file is missing for the user define ?

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'File[/home/username]' for relationship on 'Ssh_authorized_key[username@host]' on node...

Hi,

I am new to Puppet and I use your ssh module, but I can't add several public keys to the same user?

I tried this but it did not work :

ssh::user { 'my_user':
  key => ['akalkalkalka', 'bkblkblkblkb'],
  comment => ['key1', 'key2']
}

and if i try this too :

ssh::user { 'my_user':
  key => 'akalkalkalka',
  comment => 'key1',
}

ssh::user { 'my_user':
  key => 'bkblkblkblkb',
  comment => 'key2',
}

I have "duplcated content" !

Is it possible to do what I need with your module ?

Hi,

Have you considered to support private and public server host keys content?
I mean this files:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub

Doing so you can ensure that a host, even after reinstallation, will have the same host key, so other hosts that usually connect to this via ssh will not throw the typical: "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED". This is important when you have some automatic procedures that relay on interchanged fingerprints.

Do you see any security issues here?

Regards.

I got an error as in the title while I want to apply the module. The /home/username is an existing directory.

(I did notice that you have started Ubuntu 20.04 support in master but not yet released.)

I get these warnings on a Ubuntu 20.04 LTS but I think some of it might be needed to be changed for as old as 16.04.
I looks like some defaults may need to be updated and some changes made in the template?

I'm sure I can create a local workaround by using my own settings but it would be nice if it wouldn't be needed.

/etc/ssh/sshd_config line 12: Deprecated option UsePrivilegeSeparation
/etc/ssh/sshd_config line 13: Deprecated option KeyRegenerationInterval
/etc/ssh/sshd_config line 14: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 21: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 25: Deprecated option RhostsRSAAuthentication
/etc/ssh/sshd_config line 43: Deprecated option UseLogin
/etc/ssh/sshd_config line 53: Bad SSH2 mac spec 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'.

Thanks for the module, it's been helpful.

Currently, the module allows root login, though it suggests it's bad practice.

For key management (i.e. ssh::user), it does not consider the case of root, assuming a path of '/home/'. I would expect this as oversight, but I'm asking just in case it's not.

Would you welcome a patch to support setting root ssh keys, or has that functionality been purposefully left out to discourage the practice?

Thanks.

In Ubuntu 18.04 OpenSSH will be upgraded to version 7.6p1.

According to the release notes the MAC hmac-ripemd160 is removed.

What I can see this default is one of the only things needed to be changed but then I haven't done any huge testing.

Release notes: https://www.openssh.com/txt/release-7.6

A workaround is to set the mac-parameter to supported MACs.

the module should, using its default parameters, pass all tests implemented in the dev-sec ssh hardening inspec profile [1]

[1] https://github.com/dev-sec/tests-ssh-hardening

Dear @attachmentgenie Awesome work on this puppet module. Would you be interested in bringing your expertise over to https://github.com/dev-sec/puppet-ssh-hardening?

See #19 for details. Just leaving a note here so someone doesn't get surprised :(